Fwd: [SECURITY] Critical vulnerability in Gluon - Bugfix release on Thursday, 2022-05-05

Axel Beckert abe at deuxchevaux.org
Tue May 3 15:54:03 CEST 2022


Hi,

On Tue, May 03, 2022 at 11:15:33AM +0200, David Lutz via ff3l wrote:
> It looks like there is a serious security vulnerability in Gluon.
> 
> I don't know how serious, but it is apparently serious enough that
> further details will not be announced until Thursday.

It looks like the cat is out of the bag:

https://www.bleepingcomputer.com/news/security/unpatched-dns-bug-affects-millions-of-routers-and-iot-devices/

At any rate, this sounds very much like it:

»A vulnerability in the domain name system (DNS) component of a
popular C standard library that is present in a wide range of IoT
products may put millions of devices at DNS poisoning attack risk.

A threat actor can use DNS poisoning or DNS spoofing to redirect the
victim to a malicious website hosted at an IP address on a server
controlled by the attacker instead of the legitimate location.

The library uClibc and its fork from the OpenWRT team, uClibc-ng.
Both variants are widely used by major vendors like Netgear, Axis, and
Linksys, as well as Linux distributions suitable for embedded
applications.«

		Regards, Axel
-- 
PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe at deuxchevaux.org  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe at noone.org  X
https://axel.beckert.ch/   / \  I love long mails: https://email.is-not-s.ms/


